Protecting Brand Identity in Email

Watch the 12-minute video here or on Youtube, or read the transcript below.

Transcript

JULIA JANSSEN-HOLLDIEK: Tobias, what is brand identity from a marketing versus a technical perspective? 

TOBIAS HERKULA: I think the biggest difference is that brand identity from a marketing perspective, it’s like an overall view about how a brand is perceived by end users and other entities on the market. And from a technical perspective, it's a very limited view: to point at where you want to have anchors you can use to pinpoint reputation, trust – whatever you want to call it in the end – because there are multiple dimensions to that. But that's a single point you normally use to pinpoint all this relationship data into – and most likely it's a domain.

JANSSEN-HOLLDIEK: I like the way you previously defined reputation as computational trust. 

HERKULA: Yeah. Computational trust: it's a much better way to describe the concept behind this artificial description, this singular word of reputation, that has been constantly in use at least for the last decade in handling email traffic; because computational trust is much more precise in describing what we really do as a vendor or on the receiver side of emails. Because we don't have an artificial scale where we simply pinpoint you like: “You’re this” or “You're this”, no you're perhaps more greenish or more reddish. It's more like we have a multitude of factors that are computed in a way that in the end more or less describe the relationship vector to describe how much we trust you. So computational trust is a much more interesting form to describe what we are after as an anti-spam provider but also in the mailbox provider community as a whole.

JANSSEN-HOLLDIEK: And how do you nurture and protect brand identity from a technical side?

HERKULA: Nurturing brand identity from a technical perspective is making sure that you only use stuff you have control over. That's the most important factor. It doesn't mean that specific thing you need control over, but only using stuff you can control – like you have control over your own domain because you buy your domain, you choose the name you're using, and you should stick to that. Don't try to use external servers that do not provide the amount of control you need to nurture your brand.

In my presentation I used the example with a CDN. From a technical perspective, it's totally legit to put all your static resources on a CDN because you want to have fast loading times and all the stuff associated with your website, with your email campaign, perhaps even with your messaging stuff like WhatsApp, Telegram, whatever. But if you do that, then make sure you're going this extra mile and personalize it so that even the CDN network is using your domain, your trust anchor, to provide these additional features.

So that's a way to nurture that and also a way to grow that. Because if you centralize it to a single point of control, it's much easier to protect that for the future, because then suddenly you only need to make sure that there are dedicated processes that describe how you change stuff in that specific domain. Not domain as a technical term for a website, but domain even for the classical description of: that's the sphere you have control over, and that's the sphere you want to protect. And you don't want to pierce holes into that from all the sites simply because one of your employees is too lazy to set it up in the right way.

JANSSEN-HOLLDIEK: Why do you think brands still have a low incentive to secure their communications channels? 

HERKULA: In most cases I think the easiest answer there is budget. Even if you normally think of marketing budgets – they are most likely very broad, or at least they try to be broad. At least that's one of the things that an MBA would do: move money into a budget bucket if it's for marketing, because marketing is a very efficient way to grow your user base, and if you grow your user base you normally make more money. So it's a natural thing to do. But they are mainly focusing on achieving specific goals, but not on how they achieve them. So there is currently not that much of an incentive to secure all these things you want to do in marketing, because most people still think that, “Oh, it would not happen to me”. Like we have these big numbers of breaches in the last couple of years. I will not bring up brand names now because…

JANSSEN-HOLLDIEK: We're neutral! 

HERKULA: Yeah. Most people know the brand names that are affected by the last big breaches and perhaps if you're looking into this format again in a half a year, there will be other brands affected by big breaches. Because I'm pretty sure it will continue at least for the next three to five years – we will see much bigger breaches again.

Because it's still not in the focus – there is only nowadays a trend to bring up a C-level executive who is responsible for the security of a company. Like the term CISO is nothing that showed up 5 or 10 years ago – it's something that showed up last year or this year. That bigger companies are trying to push people who are responsible for the overall information security for a company - that's pretty new, because it's still not yet recognized as a big risk factor.

But GDPR changed a lot for that. GDPR with all these fines associated with it – the scaremongering about the fines – that helped a lot to bring this into the focus of investors and people who are responsible for whole companies or even for all complex relationships between multiple global entities.

JANSSEN-HOLLDIEK: So, if I got it right, it's more an organizational problem. So actually you should, rather than calculating an ROI behind an implementation for, let's say DMARC, you should probably also calculate the risk behind that, so you can compare the investment you have to take to secure the communication channels. That awareness is still probably missing, right? 

HERKULA: It's an awareness problem. I think from a processing or from an organizational perspective it's already there. If you're a company that is interested in ISO 27001, then you already do that – and you're now forced to do that as well for GDPR.

And that helps a lot, because the GDPR is a much more talked-about topic than an ISO certification. ISO 27001 is expensive and you have to invest a lot of time and a lot of effort to get that right. Especially if you want your whole company being certified by it. And with that comes the risk assessment. You have to describe every risk you have for every channel you use.

And one of the things you can optimize with your brand protection strategy and your brand nurture strategy is that you reduce the vectors that could be at risk. Because if you have only one, or a very defined set of sources, or a defined set of spheres where you have to have security, then it's also only a very limited set of things where you have to do risk assessment on. And that makes it much easier to get the certification in this way.

JANSSEN-HOLLDIEK: So for the future, what is your vision about improving consumer trust in email? 

HERKULA: There are multiple things. So we are on the right track with BIMI nowadays, we have this interactivity thing with AMP, and schema.org data – like, machine-readable data in email. And I think that's a good way to get to consumer base or the end user base into a situation where they can use email again in a way to optimize how they interact with information and data as a whole.

Because it's much easier if I can simply press a button and get my airplane ticket directly added into my mobile phone wallet and that's automatically more or less working. And that's very nice. We're not there yet. There are a lot of hurdles there that still need to be solved. There are a lot of problems in there, in interop. problems. Schema.org is nice, but I'm pretty sure it will be replaced by something better, that is much more precise on what kind of data I have and how it should be displayed.

And there's one missing thing currently: it’s the back channel. Like if everything's automated – extracted automatically out of my email – so I don't have the email on its own anymore in my mailbox, then how do the senders of that email know that I interacted with it? That feedback loop is not there. I'm pretty sure that there will be a collision between the old way of doing things in email and the new way of doing things and email, because suddenly you have much less control about...

JANSSEN-HOLLDIEK: KPIs, right? 

HERKULA: Yeah. It's about redefining the KPIs that are currently used to argue for a return on investment in technology for email. In the past, it was like, you have to use engagement, and you have to do this, and that, and that, and now if you don't get this engagement data anymore because there is no active open link, click in an email anymore, then you perhaps should reconsider how you measure your return on these kind of campaigns. And that's one thing that's missing.

We heard today that there are plans from bigger corporations to provide these kinds of data in the future. There are already some brands out there that are already doing it, and I'm pretty sure we will see much more data-driven email handling in the future. Because that's the thing it should be. It should be automated. It shouldn't matter if I'm looking at an email on a desktop PC, on a mobile phone, or perhaps on my smartwatch, or in my car.

Perhaps it is Alexa, Siri, whoever you call it, Cortana – there are so many of them nowadays – who is reading that data for me, and I don't care if there is a lot of information in that email. I only care about, “Oh yeah, that's the next concert I want to go to and my tickets arrived”. And that that's all the information that is necessary for me. I don't need the pictures loaded or to click on a link. I got the tickets. It's automatically added into my wallet, and that's how it should be.

Tobias Herkula manages the Anti Spam Research Team and is leading the associated product developments at Cyren. He is passionate about technical email standards, specifically in the field of anti-abuse and deliverability. Before Cyren, Tobias was responsible for Episerver's messaging infrastructure and industry relationships.